The Anubis ransomware group has struck the Adriatic Port Authority in a targeted attack that disrupted maritime logistics across the region, encrypted core operational systems, and exfiltrated sensitive corporate and employee data, according to new threat intelligence published by Resecurity. The attackers demanded a US$10 million bitcoin ransom and threatened to leak stolen files within seven days, illustrating how an IT-focused intrusion can cascade into real-world physical and economic disruption in a cyber-physical sector.
What Happened
Resecurity reports that Anubis operators breached the Adriatic Port Authority through a spear-phishing email carrying a malicious attachment. Once an employee opened the file, the payload deployed inside the organization's network and gave the attackers an initial foothold. From there, they escalated privileges and exploited unpatched vulnerabilities to move laterally across the IT environment.
The intrusion culminated in the encryption of systems supporting cargo tracking, shipping schedules, and customs processing. The operational fallout was immediate: shipments were delayed and vessels were rerouted, with the disruption rippling across maritime trade throughout the Adriatic. Notably, the attackers achieved this physical-world impact without ever directly touching operational technology (OT) systems, hitting traditional IT infrastructure instead.
What Was Taken
Beyond encryption, the operation followed the now-standard double-extortion playbook. Resecurity confirms the attackers exfiltrated sensitive data prior to locking systems, including:
- Commercial contracts and business agreements
- Employee records and personal information
With this data in hand, Anubis set a US$10 million bitcoin demand and a seven-day deadline, warning that the stolen information would be published if the ransom went unpaid. The stolen contracts and personnel files create lasting exposure for the port authority, its partners, and individual employees regardless of whether systems are restored from backups.
Why It Matters
This incident is a textbook example of how attacks on conventional IT can generate severe consequences in critical-infrastructure sectors that depend on the physical movement of goods. Ports sit at the intersection of expanding digitalization, interconnected logistics platforms, and frequently limited cybersecurity maturity, a combination that makes them high-value, soft targets.
Resecurity also frames the attack as a strategic warning. The tactics, techniques, and procedures used here could be readily adopted by nation-state actors conducting gray-zone operations or pursuing leverage during broader geopolitical conflicts involving maritime infrastructure. Given the trajectory of digitalization and the strategic importance of supply chains, the firm expects ransomware pressure on maritime and critical infrastructure to intensify through the remainder of the decade.
The Attack Technique
The kill chain reported by Resecurity is straightforward but effective:
- Initial access via a spear-phishing email with a malicious attachment.
- Payload execution delivering the ransomware foothold once the attachment was opened.
- Privilege escalation to expand control within the network.
- Lateral movement enabled by exploiting unpatched vulnerabilities.
- Data exfiltration followed by encryption of logistics, scheduling, and customs systems.
The reliance on phishing for entry and unpatched flaws for movement underscores that this was not an exotic zero-day operation, but rather an exploitation of common, preventable security gaps in aging port infrastructure.
What Organizations Should Do
Maritime operators and other critical-infrastructure entities can reduce exposure to attacks like this with the following measures:
- Harden the human layer: deploy phishing-resistant email filtering, attachment sandboxing, and continuous user awareness training to blunt the most common entry vector.
- Close the patch gap: maintain an aggressive vulnerability management and patching cadence, prioritizing internet-facing and privilege-bearing systems that enable lateral movement.
- Segment IT from OT and logistics systems: limit blast radius so an IT compromise cannot freeze cargo tracking, scheduling, and customs processing.
- Enforce least privilege and monitor for escalation: implement strong identity controls, MFA, and detection for anomalous privilege escalation and lateral movement.
- Maintain tested, offline backups: ensure rapid recovery of critical operational systems and rehearse restoration to minimize downtime.
- Prepare for double extortion: build an incident response and communications plan that accounts for data leak threats, not just encryption, including legal, regulatory, and notification workflows.
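The monitoring item above (detection for anomalous privilege escalation and lateral movement) is the one that catches an intrusion like this between the phishing foothold and the encryption stage. The following is an added illustration, not code from Resecurity or the port authority: two small detections run over constructed authentication and group-change log lines in a simplified key=value format (the format, hostnames and user names are assumptions for the example; real sources such as Windows security events or Linux auth.log need their own parsers). The first flags an account that successfully logs on to more than a handful of distinct hosts within a short window, the fan-out pattern of an operator hopping from a workstation into file, cargo, scheduling and customs servers. The second flags additions to a high-privilege group and calls out self-elevation.

```python
"""Toy detections for lateral-movement fan-out and privileged-group changes.

Added illustration, not code from Resecurity or the port authority. The log
format below is constructed for the example; real sources (Windows 4624/4728,
Linux auth.log, EDR telemetry) need their own parsers.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value format (assumption).
SAMPLE_LOG = """\
2024-05-14T09:00:05Z auth host=WS-ACCOUNTS-07 user=jdoe src=10.0.1.5 result=success
2024-05-14T09:02:11Z auth host=FILESRV-02 user=jdoe src=10.0.1.5 result=success
2024-05-14T09:03:40Z auth host=CARGO-APP-01 user=jdoe src=10.0.1.5 result=failure
2024-05-14T09:04:02Z auth host=CARGO-APP-01 user=jdoe src=10.0.1.5 result=success
2024-05-14T09:05:19Z auth host=SCHED-DB-01 user=jdoe src=10.0.1.5 result=success
2024-05-14T09:06:01Z auth host=CUSTOMS-GW-01 user=jdoe src=10.0.1.5 result=success
2024-05-14T09:07:30Z group-change host=DC-01 actor=jdoe target=jdoe group=Domain_Admins action=add
2024-05-14T09:10:00Z auth host=WS-OPS-12 user=mrossi src=10.0.2.8 result=success
2024-05-14T10:15:00Z auth host=FILESRV-02 user=mrossi src=10.0.2.8 result=success
2024-05-14T11:20:00Z group-change host=DC-01 actor=helpdesk target=mrossi group=Printer_Operators action=add
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\S+) (?P<rest>.*)$")


def parse_log(text):
    """Parse each line into a dict holding the timestamp, event kind and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the pipeline
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["kind"] = m.group("kind")
        events.append(fields)
    return events


def detect_lateral_movement(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag users who successfully authenticate to more than max_hosts distinct
    hosts inside any sliding window. A clerk normally touches one or two systems;
    one account reaching file, cargo, scheduling and customs servers within
    minutes is the fan-out pattern worth a human look."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e.get("result") == "success":
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts.append({"user": user, "start": start, "hosts": sorted(hosts)})
                break  # one alert per user is enough for triage
    return alerts


def detect_privileged_group_changes(events, sensitive_groups=("Domain_Admins",)):
    """Flag additions to high-privilege groups; an actor adding itself is called out."""
    alerts = []
    for e in events:
        if (e["kind"] == "group-change" and e.get("action") == "add"
                and e.get("group") in sensitive_groups):
            alerts.append({
                "target": e["target"], "group": e["group"], "actor": e["actor"],
                "self_elevation": e["actor"] == e["target"], "ts": e["ts"],
            })
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detections over a log text and return the alerts by category."""
    events = parse_log(text)
    return {
        "lateral_movement": detect_lateral_movement(events),
        "privilege_escalation": detect_privileged_group_changes(events),
    }


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        print(name, alerts)
```

On the constructed sample, `jdoe` reaches five distinct hosts inside ten minutes and then adds itself to `Domain_Admins`, so both detections fire, while `mrossi`'s two logons an hour apart and the `Printer_Operators` change stay quiet. The window and host thresholds are deliberately parameters: they should be tuned to the baseline of each role, and the alerts are meant as triage input that feeds the segmentation and least-privilege controls listed above, not as an automatic block.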